CN110830996B - Key updating method, network equipment and terminal - Google Patents

Key updating method, network equipment and terminal

Info

Publication number
CN110830996B
Authority
CN
China
Prior art keywords
key
3gpp
access
updated
3gpp access
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810899168.9A
Other languages
Chinese (zh)
Other versions
CN110830996A (en)
Inventor
毕晓宇
侯云静
王胡成
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Datang Mobile Communications Equipment Co Ltd
Original Assignee
大唐移动通信设备有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 大唐移动通信设备有限公司
Priority to CN201810899168.9A
Publication of CN110830996A
Application granted
Publication of CN110830996B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/04 Key management, e.g. using generic bootstrapping architecture [GBA]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 36/00 Hand-off or reselection arrangements
    • H04W 36/0005 Control or signalling for completing the hand-off
    • H04W 36/0011 Control or signalling for completing the hand-off for data sessions of end-to-end connection
    • H04W 36/0033 Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information
    • H04W 36/0038 Control or signalling for completing the hand-off for data sessions of end-to-end connection with transfer of context information of security context information
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 36/00 Hand-off or reselection arrangements
    • H04W 36/12 Reselecting a serving backbone network switching or routing node

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The invention provides a key updating method, a network device and a terminal that address the lack, in the current standard, of a procedure for updating the non-3GPP access key in a multi-registration scenario. The key updating method of the embodiment comprises: obtaining an updated access stratum (AS) key for non-3GPP access when a terminal is registered in the serving network of the same public land mobile network (PLMN) through both a 3GPP access and a non-3GPP access and a preset key update condition is met; and sending the updated AS key for non-3GPP access to the non-3GPP interworking function (N3IWF). The embodiment thus achieves an update of the non-3GPP AS key in the multi-registration scenario.

Description

Key updating method, network equipment and terminal
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a key updating method, a network device, and a terminal.
Background
Compared with a 4G network, a 5G network supports a multi-registration scenario: a UE (user equipment, or terminal) can be registered at the same time, through a 3GPP access and a non-3GPP access, in the serving network of the same PLMN (public land mobile network) or of different PLMNs.
When the UE is registered to the access and mobility management function (AMF) of the same PLMN through both the 3GPP access and the non-3GPP access, the NAS connections it has established over the two accesses use the same key, i.e. the same root key K_AMF. When the source AMF derives a new K_AMF and sends it to the target AMF, the UE updates its K_AMF in step, and UE and AMF also derive the access stratum (AS) key K_gNB for the 3GPP access; the identifier of the new key is the same key set identifier ngKSI as that of the key currently in use. The AS key K_N3IWF used by the current non-3GPP access, however, is not updated. As a result the same ngKSI identifies two different key sets in the UE and in the AMF, the keys are out of sync, and the current standard contains no description of how the non-3GPP access key is to be updated in the multi-registration scenario.
Disclosure of Invention
The object of the invention is to provide a key updating method, a network device and a terminal that solve the lack, in the current standard, of a procedure for updating the non-3GPP access key in a multi-registration scenario.
To achieve this object, an embodiment of the invention provides a key updating method applied to an access and mobility management function AMF, comprising:
obtaining an updated access stratum (AS) key for non-3GPP access when a terminal is registered in the serving network of the same public land mobile network PLMN through both a 3GPP access and a non-3GPP access and a preset key update condition is met;
and sending the updated AS key for non-3GPP access to the non-3GPP interworking function N3IWF.
The preset key update condition is that the terminal is handed over across a preset connection interface of the 3GPP access technology (the N2 interface), the source AMF updates the root key, and the target AMF decides to use the updated root key;
or, the preset key update condition is that the source AMF triggers a security context update procedure for the 3GPP access or a security context update procedure for the non-3GPP access.
When the preset key update condition is that the terminal is handed over across the preset connection interface of the 3GPP access technology, the source AMF updates the root key and the target AMF decides to use the updated root key,
obtaining the updated AS key for non-3GPP access comprises:
receiving a root key update indication and the updated root key sent by the source AMF;
computing an updated non-access stratum (NAS) key from the updated root key;
and, if the target AMF has obtained the N3IWF information from the source AMF, the target AMF establishing a connection with the N3IWF and obtaining the updated AS key.
Sending the updated AS key for non-3GPP access to the N3IWF comprises:
sending a non-3GPP key update indication and the updated AS key for non-3GPP access to the N3IWF.
Alternatively, sending the updated AS key for non-3GPP access to the N3IWF comprises:
adding a non-3GPP key update indication, the updated AS key for non-3GPP access and the calculation parameter used to compute that AS key to the created NAS security container;
sending the NAS security container to the source AMF in a security context update message, and from the source AMF on to the terminal;
and, after the terminal has completed the handover across the preset connection interface according to the NAS security container, sending the non-3GPP key update indication and the updated AS key for non-3GPP access to the N3IWF.
When the preset key update condition is that the source AMF triggers a security context update procedure for the 3GPP access or for the non-3GPP access,
sending the updated AS key for non-3GPP access to the N3IWF comprises:
sending the updated AS key for non-3GPP access to the N3IWF in a security context update message.
To achieve the above object, an embodiment of the invention further provides a key updating method applied to a non-3GPP interworking function N3IWF, comprising:
on receiving the AS key for non-3GPP access sent by the target AMF, sending a non-3GPP key update indication and a calculation parameter to the terminal, the calculation parameter being the parameter used to compute the updated AS key for non-3GPP access.
Sending the non-3GPP key update indication and the calculation parameter to the terminal comprises:
sending them to the terminal in a preset message;
the preset message being an Internet Key Exchange authentication request (IKE_AUTH), a child security association creation request (CREATE_CHILD_SA) or an informational exchange message (INFORMATIONAL).
To achieve the above object, an embodiment of the invention further provides a key updating method applied to a terminal, comprising:
obtaining a non-3GPP key update indication and a calculation parameter sent by the N3IWF, the calculation parameter being the parameter used to compute the updated AS key for non-3GPP access;
and obtaining the updated AS key for non-3GPP access according to the non-3GPP key update indication and the calculation parameter.
After obtaining the updated AS key for non-3GPP access, the method further comprises:
notifying the N3IWF, in an informational exchange message, that the non-3GPP key update is complete.
Obtaining the non-3GPP key update indication and the calculation parameter sent by the N3IWF comprises:
obtaining them in a preset message;
the preset message being an Internet Key Exchange authentication request, a child security association creation request or an informational exchange message.
To achieve the above object, an embodiment of the invention further provides a network device which is an access and mobility management function AMF and comprises a transceiver, a memory, a processor, and a program stored in the memory and executable on the processor, the processor implementing the following steps when executing the program:
obtaining an updated AS key for non-3GPP access when a terminal is registered in the serving network of the same public land mobile network PLMN through both a 3GPP access and a non-3GPP access and a preset key update condition is met;
and sending the updated AS key for non-3GPP access to the non-3GPP interworking function N3IWF through the transceiver.
The preset key update condition is that the terminal is handed over across a preset connection interface of the 3GPP access technology, the source AMF updates the root key, and the target AMF decides to use the updated root key;
or, the preset key update condition is that the source AMF triggers a security context update procedure for the 3GPP access or for the non-3GPP access.
When the preset key update condition is that the terminal is handed over across the preset connection interface of the 3GPP access technology, the source AMF updates the root key and the target AMF decides to use the updated root key,
the processor, when executing the program, further implements the steps of:
receiving a root key update indication and the updated root key sent by the source AMF;
computing an updated NAS key from the updated root key;
and, if the target AMF has obtained the N3IWF information from the source AMF, the target AMF establishing a connection with the N3IWF and obtaining the updated AS key.
The processor, when executing the program, further implements the step of:
sending a non-3GPP key update indication and the updated AS key for non-3GPP access to the N3IWF.
Alternatively, the processor, when executing the program, further implements the steps of:
adding a non-3GPP key update indication, the updated AS key for non-3GPP access and the calculation parameter used to compute that AS key to the created NAS security container;
sending the NAS security container to the source AMF in a security context update message, and from the source AMF on to the terminal;
and, after the terminal has completed the handover across the preset connection interface according to the NAS security container, sending the non-3GPP key update indication and the updated AS key for non-3GPP access to the N3IWF.
When the preset key update condition is that the source AMF triggers a security context update procedure for the 3GPP access or for the non-3GPP access,
the processor, when executing the program, further implements the step of:
sending the updated AS key for non-3GPP access to the N3IWF in a security context update message.
To achieve the above object, an embodiment of the invention further provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the key updating method described above.
To achieve the above object, an embodiment of the invention further provides a network device which is a non-3GPP interworking function N3IWF and comprises a transceiver, a memory, a processor, and a program stored in the memory and executable on the processor, the processor implementing the following step when executing the program:
on receiving the AS key for non-3GPP access sent by the target AMF, sending a non-3GPP key update indication and a calculation parameter to the terminal, the calculation parameter being the parameter used to compute the updated AS key for non-3GPP access.
The processor, when executing the program, further implements the step of:
sending the non-3GPP key update indication and the calculation parameter to the terminal in a preset message;
the preset message being an Internet Key Exchange authentication request, a child security association creation request or an informational exchange message.
To achieve the above object, an embodiment of the invention further provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the key updating method described above.
To achieve the above object, an embodiment of the invention further provides a terminal comprising a transceiver, a memory, a processor, and a program stored in the memory and executable on the processor, the processor implementing the following steps when executing the program:
obtaining a non-3GPP key update indication and a calculation parameter sent by the N3IWF, the calculation parameter being the parameter used to compute the updated AS key for non-3GPP access;
and obtaining the updated AS key for non-3GPP access according to the non-3GPP key update indication and the calculation parameter.
The processor, when executing the program, further implements the step of:
notifying the N3IWF, in an informational exchange message, that the non-3GPP key update is complete.
The processor, when executing the program, further implements the steps of:
obtaining the non-3GPP key update indication and the calculation parameter in a preset message;
the preset message being an Internet Key Exchange authentication request, a child security association creation request or an informational exchange message.
To achieve the above object, an embodiment of the invention further provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the key updating method described above.
To achieve the above object, an embodiment of the invention further provides a network device which is an access and mobility management function AMF and comprises:
a first obtaining module, configured to obtain an updated AS key for non-3GPP access when a terminal is registered in the serving network of the same public land mobile network PLMN through both a 3GPP access and a non-3GPP access and a preset key update condition is met;
and a first sending module, configured to send the updated AS key for non-3GPP access to the non-3GPP interworking function N3IWF.
The preset key update condition is that the terminal is handed over across a preset connection interface of the 3GPP access technology, the source AMF updates the root key, and the target AMF decides to use the updated root key;
or, the preset key update condition is that the source AMF triggers a security context update procedure for the 3GPP access or for the non-3GPP access.
When the preset key update condition is that the terminal is handed over across the preset connection interface of the 3GPP access technology, the source AMF updates the root key and the target AMF decides to use the updated root key,
the first obtaining module comprises:
a receiving submodule, configured to receive a root key update indication and the updated root key sent by the source AMF;
a calculation submodule, configured to compute an updated NAS key from the updated root key;
and an obtaining submodule, configured to establish a connection between the target AMF and the N3IWF and obtain the updated AS key if the target AMF has obtained the N3IWF information from the source AMF.
The first sending module is configured to send a non-3GPP key update indication and the updated AS key for non-3GPP access to the N3IWF.
Alternatively, the first sending module comprises:
an adding submodule, configured to add a non-3GPP key update indication, the updated AS key for non-3GPP access and the calculation parameter used to compute that AS key to the created NAS security container;
a first sending submodule, configured to send the NAS security container to the source AMF in a security context update message, and from the source AMF on to the terminal;
and a second sending submodule, configured to send the non-3GPP key update indication and the updated AS key for non-3GPP access to the N3IWF after the terminal has completed the handover across the preset connection interface according to the NAS security container.
When the preset key update condition is that the source AMF triggers a security context update procedure for the 3GPP access or for the non-3GPP access,
the first sending module is configured to send the updated AS key for non-3GPP access to the N3IWF in a security context update message.
To achieve the above object, an embodiment of the invention further provides a network device which is a non-3GPP interworking function N3IWF and comprises:
a second sending module, configured to send a non-3GPP key update indication and a calculation parameter to the terminal on receiving the AS key for non-3GPP access sent by the target AMF, the calculation parameter being the parameter used to compute the updated AS key for non-3GPP access.
The second sending module is configured to send the non-3GPP key update indication and the calculation parameter to the terminal in a preset message;
the preset message being an Internet Key Exchange authentication request, a child security association creation request or an informational exchange message.
To achieve the above object, an embodiment of the invention further provides a terminal comprising:
a second obtaining module, configured to obtain a non-3GPP key update indication and a calculation parameter sent by the N3IWF, the calculation parameter being the parameter used to compute the updated AS key for non-3GPP access;
and a third obtaining module, configured to obtain the updated AS key for non-3GPP access according to the non-3GPP key update indication and the calculation parameter.
The terminal further comprises:
a notification module, configured to notify the N3IWF, in an informational exchange message, that the non-3GPP key update is complete.
The second obtaining module is configured to obtain the non-3GPP key update indication and the calculation parameter in a preset message;
the preset message being an Internet Key Exchange authentication request, a child security association creation request or an informational exchange message.
The embodiments of the invention have the following beneficial effect:
according to the technical solution of the embodiments, when the terminal is registered in the serving network of the same public land mobile network PLMN through both a 3GPP access and a non-3GPP access and a preset key update condition is met, an updated AS key for non-3GPP access is obtained and sent to the non-3GPP interworking function N3IWF, so that the non-3GPP AS key is updated in the multi-registration scenario.
Drawings
FIG. 1 is a flowchart of a key updating method according to an embodiment of the invention;
FIG. 2 is a schematic diagram of a first interaction between a terminal and network devices in an embodiment of the invention;
FIG. 3 is a schematic diagram of a second interaction between a terminal and network devices in an embodiment of the invention;
FIG. 4 is a schematic diagram of a third interaction between a terminal and network devices in an embodiment of the invention;
FIG. 5 is a flowchart of a key updating method according to another embodiment of the invention;
FIG. 6 is a flowchart of a key updating method according to a third embodiment of the invention;
FIG. 7 is an architecture block diagram of the network device AMF in an embodiment of the invention;
FIG. 8 is a schematic block diagram of the network device AMF in an embodiment of the invention;
FIG. 9 is an architecture block diagram of the network device N3IWF in an embodiment of the invention;
FIG. 10 is a schematic block diagram of the network device N3IWF in an embodiment of the invention;
FIG. 11 is an architecture block diagram of the terminal in an embodiment of the invention;
FIG. 12 is a schematic block diagram of the terminal in an embodiment of the invention.
Detailed Description
In order to make the technical problems, technical solutions and advantages of the present invention more apparent, the following detailed description is given with reference to the accompanying drawings.
Several handover scenarios exist in 5G networks: inter-system handover, Xn handover (handover between base stations gNB within the system) and N2 handover (handover between access and mobility management functions AMF within the system). An N2 handover means that the handover to the target gNB has to go through a new, suitable AMF. N2 is the interface (reference point) between the 5G access network and the access and mobility management function, and the N2 handover procedure is as follows:
(1) The source gNB sends a Handover Required message to the source AMF.
The message includes the Target ID, the Source to Target transparent container, the session management N2 information list (SM N2 info list), the protocol data unit session identifiers (PDU Session IDs) and an intra-system handover indication.
(2) Target AMF selection. When the source AMF can no longer serve the UE, it selects a target AMF as specified in the standard.
(3) The source AMF sends a Namf_Communication_CreateUEContext Request message to the target AMF.
The Namf_Communication_CreateUEContext Request carries N2 message information and UE context information; with it the source AMF initiates the handover resource allocation procedure at the target AMF.
The N2 message information includes: Target ID, Source to Target transparent container, SM N2 info list, PDU Session IDs and service area restriction;
the UE context information includes: the subscription permanent identifier (SUPI), the Allowed NSSAI for the access type (if available), the list of PDU Session IDs allowed by the allowed access types together with the corresponding SMF information and single network slice selection assistance information S-NSSAI(s), the policy control function identifier (PCF ID) and the Data Network Name (DNN).
(4) The target AMF sends an Nsmf_PDUSession_UpdateSMContext message to the session management function SMF.
The Nsmf_PDUSession_UpdateSMContext message contains the PDU Session ID, the Target ID and the Target AMF ID.
(5) Based on the Target ID, the SMF checks whether the PDU session indicated for the N2 handover can be accepted. The SMF checks the UPF selection criteria: if the UE has moved out of the service area of the current UPF, the SMF selects a new UPF.
(6) The SMF sends an Nsmf_PDUSession_UpdateSMContext Response message to the target AMF, containing the PDU Session ID, N2 SM Information and, if the session is not accepted, the reason.
(7) The target AMF sends a Handover Request to the target gNB, including the Source to Target transparent container, N2 mobility management information (N2 MM Information), N2 session management information list (N2 SM Information List), Handover Restriction List and Non-allowed PDU Session List.
(8) The target gNB sends a Handover Request Acknowledge to the target AMF.
The Handover Request Acknowledge includes the Target to Source transparent container, the N2 SM response list, the list of PDU sessions that failed to be set up, and the target gNB SM N3 forwarding information list.
(9) The target AMF sends an Nsmf_PDUSession_UpdateSMContext Request to the SMF, comprising the PDU Session ID, the N2 SM response and the target gNB SM N3 forwarding information list.
(10) The SMF sends an Nsmf_PDUSession_UpdateSMContext Response, i.e. N2 SM Information, to the target AMF; it sends one such message per PDU session.
(11) The target AMF sends a Namf_Communication_CreateUEContext Response to the source AMF.
Its N2 information is what the source AMF needs to send the Handover Command to the source gNB: the Target to Source transparent container, the list of PDU sessions that failed to be set up, and N2 SM Information (N3 DL forwarding information).
(12) The source AMF sends a Handover Command message to the source gNB, comprising the Target to Source transparent container, the list of PDU sessions that failed to be set up (PDU session failed to be setup list) and the SM forwarding info list. The Target to Source transparent container is forwarded as received from the target AMF. The SM forwarding info list contains the target gNB SM N3 forwarding info list or the source UPF SM N3 forwarding info list (S-UPF SM N3 forwarding info list), for direct and indirect data forwarding respectively. From the list of PDU sessions that failed to be set up and the indicated failure reason, the source gNB decides whether to proceed with the N2 handover procedure.
(13) The source gNB sends a Handover Command to the UE, which includes the UE container. The UE container is the UE part of the Target to Source transparent container; it is passed transparently from the target gNB to the source gNB via the AMFs and then sent by the source gNB to the UE.
(14) The UE sends a Handover Confirm message to the target gNB. Once the UE has synchronised with the target cell it sends Handover Confirm to the target gNB; with this message the UE considers the handover successfully completed on its side.
(15) The target gNB sends a Handover Notify message to the target AMF, indicating that the handover has been successfully completed at the target gNB.
Meanwhile, the description of the prior art for the safety protection of the N2 switching process in the TS33.501 is as follows: upon receiving the NGAP HANDOVER REQUIRED message, the source AMF increments the NCC value held locally by 1 and calculates a new NH. The source AMF will use K in the currently active 5GS NAS SecurityAMFA new NH is calculated. The source AMF will send { NH, NCC } to the target AMF via the Namf _ Communication _ CreateUEContext Request. K for calculating { NH, NCC } will be additionally included in the Namf _ Communication _ CreateUEContext Request messageAMFAnd the corresponding ngKSI.
It is noted that, unlike in LTE networks, in the single registration scenario, the N2 handover scenario of the 5G network takes into account the scenario where handover occurs simultaneously with the source AMF key update, i.e. the source AMF will update KAMFAnd is sent to the target AMF concurrently or the target AMF enables a new K due to the policy requirementAMFA key.
Processing description of AMF: if the source AMF has passed a new KAMFA new 5G NAS security context is activated, which is different from the current 5G AS security context based, the Namf _ Communication _ createcontext Request message will additionally contain a K _ AMF _ CI (K)AMFChange Indicator) meaning a transmitted KAMFIs a new key. The source AMF uses local policy to decide whether to execute a level KAMFAnd (6) deduction. If executed, Namf _ Communication _ CreateUEContext Request an indication description KAMFHas been recalculated and the downlink NAS COUNT will be used to calculate the sent KAMF. New KAMFHas the same value as the ngKSI of the current key, the source AMF will contain ng KSI in the Namf _ Communication _ createcontext Request, the source AMF increments the downlink NAS COUNT by 1. If target AMF receives an indication that a new K is indicatedAMFIt has been calculated that it will be necessary to create a NASC (NAS container) containing the K _ AMF _ change flag, the received Downlink non-Access stratum counter value (downlink NAS COUNT), the ngKSI, the selected non-Access stratum Security Algorithm (selected NAS security algorithms), the UE's security capabilities (UE security capabilities), and<check value of non-access stratum (NAS MAC)>. NASC is included in the next generation application protocol handoff REQUEST (NGAP HANDOVER REQUEST) issued to target gNB.
Processing at the gNB: the target gNB instructs the UE to delete the currently unused {NH, NCC} pair; the handover command (HO Command message) carries the NCC value of the {NH, NCC} pair and the NASC (if received). If the target gNB has received the root key change indication K_AMF_CI, the key change indication (keyChangeIndicator) field in the HO Command message must be set to true.
Processing at the UE: the UE derives the new K_AMF in turn based on what it has received, assigns the ngKSI to the new K_AMF in the NAS security context, and selects the NAS security algorithms given in the NASC. The UE further verifies the NAS MAC in the NASC; if verification succeeds, the UE uses the obtained K_AMF and a NAS COUNT of 0 to calculate a temporary K_gNB key (temporary K_gNB).
In addition, the description of the key K_N3IWF in the standard is: K_N3IWF is always used for UE access to the 5GC through non-3GPP unless re-authentication is performed. For the multi-registration scenario provided by the 5G network, the description in TS 33.501 is: if the UE is simultaneously registered in the serving networks of different PLMNs through 3GPP and non-3GPP access, the UE maintains and uses two different sets of security contexts independently. If the UE is simultaneously registered in the serving network of the same PLMN through 3GPP and non-3GPP access, the access and mobility management function AMF and the UE establish one common non-access stratum (NAS) security context, which is established at the first registration and contains a set of NAS keys and algorithms. The AMF and the UE also keep, in the common NAS security context, parameters specific to each NAS connection, i.e. a pair of uplink and downlink NAS COUNT values and a NAS connection identifier unique to each connection. The NAS connection identifier established for the 3GPP access is 0, and the NAS connection identifier established for the non-3GPP access is 1.
According to the principle of key synchronization, if the NAS key in the network changes, the Access Stratum (AS) key should also change; otherwise signalling and data cannot be encrypted or integrity protected, and decryption or integrity verification cannot be completed. For non-3GPP access in the current 33.501 standard, the 5G AS key is K_N3IWF, which is generated in a manner similar to K_gNB, i.e. based on K_AMF and NAS COUNT, etc. The current description of K_N3IWF is: the non-3GPP interworking function N3IWF uses K_N3IWF as the MSK for the IKEv2 procedure between the UE and the N3IWF. In the IKEv2 protocol the MSK is called the master session key and is used for authentication when the IKE and ESP/AH SAs are established during the IKEv2 procedure; that is, during IPsec SA establishment, the IKE_AUTH exchange is performed through Internet Key Exchange authentication, and the Authentication (AUTH) parameter in the message payload is calculated from the MSK, so if the MSK changes the IKEv2 message cannot be authenticated. However, when the UE is simultaneously registered to the access and mobility management function AMF of the same PLMN through 3GPP access and non-3GPP access, the target standard lacks a processing method for updating the non-3GPP access key.
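The dependency described above, as an added example that is not code from the patent or from any 3GPP implementation: an IKEv2 shared-key AUTH payload computed per RFC 7296 with the EAP MSK, i.e. K_N3IWF, as the shared secret. It assumes PRF_HMAC_SHA2_256 as the negotiated PRF; the IKE_SA_INIT message, nonce, SK_pi and ID payload bytes are constructed sample values. Running it shows that once the MSK on one side changes, the AUTH check on the other side fails, which is exactly the desynchronization the key update procedure described below is meant to avoid.

```python
import hmac
import hashlib

# Fixed ASCII pad string from RFC 7296 section 2.15 (shared-key authentication).
KEY_PAD = b"Key Pad for IKEv2"


def prf(key: bytes, data: bytes) -> bytes:
    """Assumed negotiated PRF: PRF_HMAC_SHA2_256."""
    return hmac.new(key, data, hashlib.sha256).digest()


def signed_octets(message: bytes, peer_nonce: bytes, sk_p: bytes, id_payload: bytes) -> bytes:
    """SignedOctets = RealMessage | NonceData | prf(SK_p, RestOfIDPayload) (RFC 7296 2.15)."""
    return message + peer_nonce + prf(sk_p, id_payload)


def compute_auth(msk: bytes, octets: bytes) -> bytes:
    """AUTH = prf(prf(SharedSecret, "Key Pad for IKEv2"), SignedOctets).
    With EAP-based IKEv2 (RFC 7296 2.16) the shared secret is the EAP MSK,
    which in 5G non-3GPP access is K_N3IWF."""
    return prf(prf(msk, KEY_PAD), octets)


def verify_auth(msk: bytes, octets: bytes, auth: bytes) -> bool:
    """Constant-time comparison of the received AUTH against a local recomputation."""
    return hmac.compare_digest(compute_auth(msk, octets), auth)


def ike_auth_exchange(ue_msk: bytes, n3iwf_msk: bytes) -> bool:
    """Simulate the UE building an AUTH payload and the N3IWF checking it.
    Returns True only when both sides hold the same MSK (the same K_N3IWF)."""
    # Constructed sample values standing in for the real IKE_SA_INIT request,
    # the responder nonce, SK_pi and the initiator ID payload body.
    ike_sa_init_request = b"\x00" * 8 + b"IKE_SA_INIT-request-placeholder"
    n3iwf_nonce = bytes(range(32))
    sk_pi = hashlib.sha256(b"constructed SK_pi").digest()
    id_i = b"\x03\x00\x00\x00ue@example.invalid"  # ID_RFC822_ADDR style body
    octets = signed_octets(ike_sa_init_request, n3iwf_nonce, sk_pi, id_i)
    auth = compute_auth(ue_msk, octets)          # built by the UE
    return verify_auth(n3iwf_msk, octets, auth)  # checked by the N3IWF


if __name__ == "__main__":
    same = bytes([0x11]) * 32
    changed = bytes([0x22]) * 32
    print("MSK in sync:", ike_auth_exchange(same, same))
    print("N3IWF holds a changed MSK:", ike_auth_exchange(same, changed))
```

The two final calls stand for the two situations the text contrasts: both sides still share K_N3IWF, and one side has moved to a new K_N3IWF while the other has not.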
In order to solve the problem that a non-3GPP access key update processing manner is lacking in a multi-registration scenario in the current standard, as shown in fig. 1, an embodiment of the present invention provides a key update method, which is applied to an access and mobility management function AMF, where the AMF is specifically a target AMF, and the method includes:
Step 101: when the terminal is registered in the serving network of the same public land mobile network PLMN through both a 3GPP access mode and a non-3GPP access mode and a preset key update condition is met, obtain an updated access stratum key for non-3GPP access.
The preset key updating condition is that the terminal is switched through a preset connection interface of a 3GPP access technology, a source AMF updates a root key, and a target AMF determines to use the updated root key;
or, the preset key updating condition is that the source AMF triggers a security context updating process corresponding to the 3GPP access mode or triggers a security context updating process corresponding to the non-3GPP access mode.
The preset connection interface is N2, where N2 is the interface or reference point between the 5G access network and the access and mobility management function.
It should be noted that, the source AMF triggers the security context update process corresponding to the 3GPP access scheme or triggers the security context update process corresponding to the non-3GPP access scheme, which may change the root key.
Step 102: send the updated access stratum key for non-3GPP access to the non-3GPP interworking function N3IWF.
Specifically, the updated access stratum key for non-3GPP access may be sent to the non-3GPP interworking function N3IWF through a context update message.
In the key update method of the embodiment of the invention, when the terminal is registered in the serving network of the same public land mobile network PLMN through a 3GPP access mode and a non-3GPP access mode and a preset key update condition is met, an updated access stratum key for non-3GPP access is obtained and sent to the non-3GPP interworking function N3IWF, so that the non-3GPP access stratum key is updated in the multi-registration scenario.
When the preset key update condition is that the terminal performs preset connection interface switching through a 3GPP access technology, the source AMF updates the root key, and the target AMF determines to use the updated root key, the acquiring, in step 101, the updated access layer key for non-3GPP access includes:
receiving a root key updating indication and an updated root key sent by a source AMF;
calculating an updated non-access stratum key according to the updated root key;
if the target AMF obtains the N3IWF information from the source AMF, the target AMF establishes a connection with the N3IWF and obtains the updated access stratum key.
Based on this, as a first optional implementation, step 102 of sending the updated access stratum key for non-3GPP access to the non-3GPP interworking function N3IWF includes:
sending a non-3GPP key update indication and the updated access stratum key for non-3GPP access to the N3IWF.
In the first implementation, when the UE performs the preset connection interface handover through the 3GPP access technology in the multi-registration scenario, the NAS connection accessed through non-3GPP is switched to the new target AMF as well, the N3IWF establishes a new connection with the target AMF, and after the target AMF obtains the updated root key K_AMF it needs to derive K_N3IWF from K_AMF and send it to the N3IWF in a context update message, so that the UE updates the keys of both access modes synchronously and the problem of mismatched keys is avoided.
The following describes a specific flow of the first implementation.
As shown in fig. 2, the process includes:
step 201: the UE is registered to the serving network of the same PLMN through both 3GPP and non-3GPP access technologies.
I.e. both NAS of the UE are connected to the same AMF and secure using a common NAS security context.
Step 202: due to a change in UE position, the UE is handed over to the target AMF via the 3GPP access technology, and at this point the NAS connection accessed through non-3GPP is also switched to the target AMF.
The target AMF belongs to the same PLMN as the source AMF.
Step 203: the source AMF has undergone a key update.
The key update here refers specifically to the update of the root key K_AMF.
Step 204: the target AMF receives the key update indication and the updated K_AMF, and calculates the updated NAS key.
Step 205: if the target AMF obtains the information of the N3IWF from the source AMF, it establishes a connection with the N3IWF.
Step 206: the target AMF calculates a new K_N3IWF based on the local NAS COUNT value.
Step 207: the target AMF sends a key update indication and the new K_N3IWF to the N3IWF.
Step 208: the N3IWF sends a response message to the target AMF.
Step 209: the N3IWF receives the new K_N3IWF and deletes the old K_N3IWF.
Step 210: the N3IWF sends the K_N3IWF change indication and the NAS COUNT to the UE in an IKE_AUTH Request message.
Step 211: the UE calculates the new K_N3IWF based on the new K_AMF and the received NAS COUNT, and deletes the old K_N3IWF.
Step 212: the UE informs the N3IWF that the non-3GPP AS key update is complete.
In this embodiment, a security context update message exchange between the target AMF and the N3IWF is added, in which the target AMF sends a key update indication and the new key to the N3IWF; that is, a non-3GPP AS key update procedure is added between the UE and the N3IWF.
It should be noted that there is no restriction on the order of steps 208 and 209, i.e. either may be executed first.
In addition, the message exchange between the N3IWF and the UE can also be completed through the Internet Key Exchange notification exchange message IKE_Information Exchange.
As shown in fig. 3, the process may further include:
step 301: the UE is registered to the serving network of the same PLMN through both 3GPP and non-3GPP access technologies.
I.e. both NAS of the UE are connected to the same AMF and secure using a common NAS security context.
Step 302: due to a change in UE position, the UE is handed over to the target AMF via the 3GPP access technology, and at this point the NAS connection accessed through non-3GPP is also switched to the target AMF.
The target AMF belongs to the same PLMN as the source AMF.
Step 303: the source AMF has undergone a key update.
The key update here refers specifically to the update of the root key K_AMF.
Step 304: the target AMF receives the key update indication and the updated K_AMF, and calculates the updated NAS key.
Step 305: if the target AMF obtains the information of the N3IWF from the source AMF, it establishes a connection with the N3IWF.
Step 306: the target AMF calculates a new K_N3IWF based on the local NAS COUNT value.
Step 307: the target AMF sends a key update indication and the new K_N3IWF to the N3IWF.
Step 308: the N3IWF sends a response message to the target AMF.
Step 309: the N3IWF receives the new K_N3IWF and deletes the old K_N3IWF.
Step 310: the N3IWF sends the K_N3IWF change indication and the NAS COUNT to the UE in a Create Child SA Request message.
Step 311: the UE calculates the new K_N3IWF based on the new K_AMF and the received NAS COUNT, and deletes the old K_N3IWF.
Step 312: the UE informs the N3IWF that the non-3GPP AS key update is complete through a Create Child SA Reply.
It should be noted that there is no restriction on the order of steps 308 and 309, i.e. either may be executed first.
The flow shown in fig. 3 differs from the flow shown in fig. 2 in that the messages exchanged between the UE and the N3IWF are different, i.e. the SA update procedure provided by the IKEv2 protocol is used, while the indication in the N2 message and the key update method of the UE and the AMF are the same.
Further, as a second optional implementation manner, the step 102: sending the updated access layer key for non-3GPP access to a non-3GPP interworking network function N3IWF, comprising:
adding a non-3GPP key updating instruction, an updated access stratum key for non-3GPP access and a calculation parameter for calculating the access stratum key in the created non-access stratum security container.
Here, the calculation parameters for calculating the access stratum key include NAS COUNT.
sending the non-access stratum security container to the source AMF through a security context update message, and sending the non-access stratum security container to the terminal through the source AMF;
after the terminal completes the preset connection interface handover according to the non-access stratum security container, sending a non-3GPP key update indication and the updated access stratum key for non-3GPP access to the N3IWF.
In this second implementation, when the UE is handed over through 3GPP access and the root key K_AMF is updated, the K_N3IWF for non-3GPP access stored on the UE side and the AMF side can be updated within the current handover procedure, and the use of additional IKEv2 messages between the UE and the N3IWF to complete the key update is avoided.
The following describes a specific flow of the second implementation.
As shown in fig. 4, the process includes:
step 401: the source gNB sends a handover request to the source AMF.
Step 402: the source AMF selects a target AMF.
Step 403: the source AMF sends a Namf_Communication_CreateUEContext Request message to the target AMF.
Step 404: the target AMF sends an Nsmf_PDUSession_UpdateSMContext message to the session management function SMF.
Step 405: based on the Target ID, the SMF verifies whether the PDU Session indicated in the N2 Handover can be accepted.
Step 406: the SMF sends an Nsmf_PDUSession_UpdateSMContext Response message to the target AMF.
Step 407: the target AMF sends a Handover Request to the target gNB.
Step 408: the target gNB sends a handover request acknowledgement to the target AMF.
Step 409: the target AMF sends an Nsmf_PDUSession_UpdateSMContext Request to the SMF.
Step 410: the SMF sends an Nsmf_PDUSession_UpdateSMContext Response to the target AMF.
Step 411: the target AMF sends a Namf_Communication_CreateUEContext Response to the source AMF, where the Namf_Communication_CreateUEContext Response includes a non-3GPP key update indication, an updated access stratum key for non-3GPP access and a calculation parameter for calculating the access stratum key.
Step 412: the source AMF sends a handover command to the source gNB, where the handover command includes the non-3GPP key update indication, the updated access stratum key for non-3GPP access and the calculation parameter for calculating the access stratum key.
Step 413: the source gNB sends a handover command to the UE, where the handover command includes the non-3GPP key update indication, the updated access stratum key for non-3GPP access and the calculation parameter for calculating the access stratum key.
Step 414: the UE sends a handover confirm message to the target gNB.
Here, the UE calculates the AS key K_N3IWF for non-3GPP access from the obtained calculation parameter and the key update indication.
Step 415: the target gNB sends a Handover Notify message to the target AMF.
Step 416: the target AMF sends a non-3GPP key update indication and the updated access stratum key for non-3GPP access to the N3IWF.
Step 417: the terminal and the N3IWF notify each other of the completion of the non-3GPP key update by exchanging messages.
In this implementation, when the UE is handed over through 3GPP access and the root key K_AMF is updated, the K_N3IWF for non-3GPP access stored on the UE side and the AMF side can be updated within the current handover procedure, and the use of additional IKEv2 messages between the UE and the N3IWF to complete the key update is avoided.
If the target AMF receives the K_AMF key update indication sent by the source AMF and at the same time obtains the information of the non-3GPP connection, the NAS security container it creates contains the non-3GPP key update indication, the newly calculated K_N3IWF key and the parameters used to calculate that key; this indication is sent to the UE in the subsequent steps 411, 412 and 413.
The UE calculates the AS key K_N3IWF for non-3GPP access from the obtained parameters and the key update indication.
The key update at the N3IWF is performed by the target AMF sending an NGAP message that carries the key update indication and the updated key; for details, refer to the flows shown in fig. 2 and fig. 3.
Further, the preset key updating condition in step 102 is when the source AMF triggers an update procedure of a security context corresponding to a 3GPP access mode or triggers an update procedure of a security context corresponding to a non-3GPP access mode;
the step 102 of sending the updated access stratum key for the non-3GPP access to the non-3GPP interworking network function N3IWF includes:
sending the updated access stratum key for non-3GPP access to the N3IWF through a security context update message.
Here, when the UE is registered in the same AMF through two access technologies at the same time and authentication followed by a security context update takes place through one access mode, no handover procedure is involved; the N3IWF can nevertheless be informed of the core network key update through a security context update message so that it updates K_N3IWF, while the new K_N3IWF is derived on the UE side and the AMF side at the same time, so that the non-3GPP access stratum key update in the multi-registration scenario is realized.
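The derivation that all three conditions rely on (steps 206, 207 and 211 of fig. 2, steps 306 and 311 of fig. 3, steps 411 to 414 of fig. 4, and the security context update case just described), as an added example that is not code from the patent or from any network equipment vendor. It uses the generic 3GPP KDF of TS 33.220 and the K_N3IWF input parameters (FC 0x6E, uplink NAS COUNT, access type distinguisher 0x02) as the author of this example recalls them from TS 33.501 Annex A.9; those constants are an assumption to be checked against the specification, and the security contexts and counter values are constructed. The carrier of the indication (IKE_AUTH Request, Create Child SA Request, IKE_Information Exchange, or the NASC in the handover command) is abstracted to one record, since in every variant it transports only the change indication and the NAS COUNT.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constants of the K_gNB / K_N3IWF derivation in 3GPP TS 33.501 Annex A.9 as recalled
# by the author of this example (assumption: verify against the current spec text).
FC_KGNB_KN3IWF = 0x6E
ACCESS_TYPE_DISTINGUISHER_NON_3GPP = 0x02   # 0x01 would denote 3GPP access

# NAS connection identifiers named in the description: 0 for 3GPP, 1 for non-3GPP.
NAS_CONN_ID_3GPP = 0
NAS_CONN_ID_NON_3GPP = 1


def kdf(key: bytes, fc: int, *params: bytes) -> bytes:
    """Generic 3GPP KDF (TS 33.220 Annex B): HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...),
    each Li being the two-octet big-endian length of Pi."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_k_n3iwf(k_amf: bytes, uplink_nas_count: int) -> bytes:
    """K_N3IWF = KDF(K_AMF, FC, uplink NAS COUNT (4 octets), access type distinguisher (1 octet))."""
    if len(k_amf) != 32:
        raise ValueError("K_AMF must be 256 bits")
    return kdf(k_amf, FC_KGNB_KN3IWF,
               uplink_nas_count.to_bytes(4, "big"),
               bytes([ACCESS_TYPE_DISTINGUISHER_NON_3GPP]))


@dataclass
class NasSecurityContext:
    """Common NAS security context with a NAS COUNT pair per NAS connection identifier."""
    k_amf: bytes
    uplink_nas_count: dict
    downlink_nas_count: dict


@dataclass
class N3iwfKeyUpdate:
    """What the N3IWF (or the NASC in the handover command) carries to the UE."""
    change_indication: bool
    nas_count: int


def make_ctx(k_amf: bytes, non3gpp_uplink_count: int) -> NasSecurityContext:
    """Constructed context: the 3GPP connection counters are arbitrary sample values."""
    return NasSecurityContext(k_amf,
                              {NAS_CONN_ID_3GPP: 5, NAS_CONN_ID_NON_3GPP: non3gpp_uplink_count},
                              {NAS_CONN_ID_3GPP: 3, NAS_CONN_ID_NON_3GPP: 0})


def target_amf_update(ctx: NasSecurityContext):
    """Target AMF side: derive the new K_N3IWF from the updated K_AMF and the local
    NAS COUNT of the non-3GPP connection. Returns the key handed to the N3IWF and the
    indication that the N3IWF forwards to the UE."""
    count = ctx.uplink_nas_count[NAS_CONN_ID_NON_3GPP]
    return derive_k_n3iwf(ctx.k_amf, count), N3iwfKeyUpdate(True, count)


def ue_update(ctx: NasSecurityContext, msg: N3iwfKeyUpdate) -> bytes:
    """UE side: derive the new K_N3IWF from its own (new) K_AMF and the received NAS COUNT."""
    if not msg.change_indication:
        raise ValueError("no K_N3IWF change indicated")
    return derive_k_n3iwf(ctx.k_amf, msg.nas_count)


def run_key_update(amf_ctx: NasSecurityContext, ue_ctx: NasSecurityContext) -> bool:
    """Whole flow; True when the N3IWF (key from the AMF) and the UE end with the same K_N3IWF."""
    n3iwf_key, msg = target_amf_update(amf_ctx)
    ue_key = ue_update(ue_ctx, msg)
    return hmac.compare_digest(n3iwf_key, ue_key)


if __name__ == "__main__":
    old_k_amf = bytes([0x0A]) * 32   # constructed
    new_k_amf = bytes([0x42]) * 32   # constructed
    print("UE has the new K_AMF:", run_key_update(make_ctx(new_k_amf, 7), make_ctx(new_k_amf, 7)))
    print("UE still has the old K_AMF:", run_key_update(make_ctx(new_k_amf, 7), make_ctx(old_k_amf, 7)))
```

run_key_update returns True when the AMF-side and UE-side contexts share the same updated K_AMF and False when the UE still holds the old root key, which is the mismatch the procedure removes; changing only the NAS COUNT also yields a different K_N3IWF, which is why the counter value travels with the indication.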
As shown in fig. 5, an embodiment of the present invention further provides a key updating method applied to an N3IWF, including:
Step 501: when an access stratum key for non-3GPP access sent by the target AMF is received, send a non-3GPP key update indication and a calculation parameter to the terminal, where the calculation parameter is a parameter used to calculate the updated access stratum key for non-3GPP access.
The calculation parameter may specifically comprise NAS COUNT.
Further, sending a non-3GPP key update instruction and the calculation parameters to the terminal includes:
sending the non-3GPP key update indication and the calculation parameter to the terminal through a preset message;
the preset message is an Internet Key Exchange authentication request IKE_AUTH Request, a create child security association request Create Child SA Request, or a notification exchange message, the notification exchange message being IKE_Information Exchange.
The key updating method of the embodiment of the invention sends the non-3GPP key updating instruction and the calculation parameters to the terminal under the condition of receiving the non-3GPP access layer key sent by the target AMF, so as to realize the updating of the non-3GPP access layer key at the terminal side.
As shown in fig. 6, an embodiment of the present invention further provides a key updating method, applied to a terminal, including:
Step 601: obtain a non-3GPP key update indication and a calculation parameter sent by the N3IWF, where the calculation parameter is a parameter used to calculate the updated access stratum key for non-3GPP access.
The calculation parameter may specifically comprise NAS COUNT.
Step 602: obtain the updated access stratum key for non-3GPP access according to the non-3GPP key update indication and the calculation parameter.
Further, after obtaining the updated access stratum key for non-3GPP access, the method further includes:
notifying the N3IWF of the completion of the non-3GPP key update through a notification exchange message, which may be IKE_Information Exchange.
Here, the completion of the non-3GPP key update is notified by exchanging the Information Exchange message.
Further, acquiring the non-3GPP key update indication and the calculation parameters sent by the N3IWF includes:
obtaining the non-3GPP key update indication and the calculation parameter through a preset message;
the preset message is an Internet Key Exchange authentication request IKE_AUTH Request, a create child security association request Create Child SA Request, or a notification exchange message, the notification exchange message being IKE_Information Exchange.
It should be noted that the interaction flows between the terminal and the N3IWF and the target AMF are described in detail in the flows shown in fig. 2, fig. 3, and fig. 4, and are not described again here.
According to the key updating method provided by the embodiment of the invention, the terminal acquires the updated access layer key for non-3GPP access according to the non-3GPP key updating indication and the calculation parameters sent by the N3IWF, so that the updating of the non-3GPP access layer key at the terminal side is realized.
As shown in fig. 7, an embodiment of the present invention further provides a network device, which is an access and mobility management function AMF, and includes a memory 720, a processor 700, a transceiver 710, a bus interface, and a computer program stored in the memory 720 and operable on the processor 700, where the processor 700 is configured to read the program in the memory 720 and execute the following processes:
acquiring an updated access layer key for non-3GPP access under the condition that a terminal is registered in a service network of the same public land mobile network PLMN through a 3GPP access mode and a non-3GPP access mode and meets a preset key updating condition;
sending the updated access stratum key for non-3GPP access to the non-3GPP interworking function N3IWF through the transceiver.
In fig. 7, the bus architecture may include any number of interconnected buses and bridges linking together various circuits, in particular one or more processors represented by processor 700 and memory represented by memory 720. The bus architecture may also link together various other circuits such as peripherals, voltage regulators, power management circuits, and the like, which are well known in the art and are therefore not described further here. The bus interface provides an interface. The transceiver 710 may be a number of elements, i.e. including a transmitter and a receiver, providing a means for communicating with various other apparatus over a transmission medium. The processor 700 is responsible for managing the bus architecture and general processing, and the memory 720 may store data used by the processor 700 in performing operations.
Optionally, the preset key updating condition is that the terminal performs preset connection interface switching through a 3GPP access technology, the source AMF updates the root key, and the target AMF determines to use the updated root key;
or, the preset key update condition is that the source AMF triggers a security context update procedure corresponding to the 3GPP access mode or triggers a security context update procedure corresponding to the non-3GPP access mode.
Optionally, when the preset key update condition is that the terminal performs preset connection interface switching through a 3GPP access technology, the source AMF updates the root key, and the target AMF determines to use the updated root key; the processor 700, when executing the computer program, may further perform the following steps:
receiving a root key updating indication and an updated root key sent by a source AMF;
calculating an updated non-access stratum key according to the updated root key;
if the target AMF obtains the N3IWF information from the source AMF, the target AMF establishes a connection with the N3IWF and obtains the updated access stratum key.
Optionally, the processor 700, when executing the computer program, may further implement the following steps:
sending a non-3GPP key update indication and the updated access stratum key for non-3GPP access to the N3IWF.
Optionally, the processor 700, when executing the computer program, may further implement the following steps:
adding a non-3GPP key updating instruction, an updated access stratum key for non-3GPP access and a calculation parameter for calculating the access stratum key in the created non-access stratum security container;
sending the non-access stratum secure container to a source AMF through a security context update message, and sending the non-access stratum secure container to a terminal through the source AMF;
after the terminal completes the preset connection interface handover according to the non-access stratum security container, sending a non-3GPP key update indication and the updated access stratum key for non-3GPP access to the N3IWF.
Optionally, when the preset key update condition is that the source AMF triggers an update process of a security context corresponding to a 3GPP access mode or triggers an update process of a security context corresponding to a non-3GPP access mode; the processor 700, when executing the computer program, may further perform the following steps:
sending the updated access stratum key for non-3GPP access to the N3IWF through a security context update message.
In some embodiments of the invention, there is also provided a computer readable storage medium having stored thereon a computer program which when executed by a processor performs the steps of:
acquiring an updated access layer key for non-3GPP access under the condition that a terminal is registered in a service network of the same public land mobile network PLMN through a 3GPP access mode and a non-3GPP access mode and meets a preset key updating condition;
sending the updated access stratum key for non-3GPP access to the non-3GPP interworking function N3IWF through a transceiver.
When executed by the processor, the program can implement all the implementation manners in the embodiment of the method applied to the AMF side, and is not described herein again to avoid repetition.
As shown in fig. 8, an embodiment of the present invention further provides a network device, where the network device is an access and mobility management function AMF, and the network device includes:
a first obtaining module 801, configured to obtain an updated access stratum key for non-3GPP access when a terminal is registered in a service network of a same public land mobile network PLMN in a 3GPP access manner and a non-3GPP access manner and meets a preset key update condition;
a first sending module 802, configured to send the updated access stratum key for non-3GPP access to the non-3GPP interworking function N3IWF.
In the network device of the embodiment of the present invention, the preset key update condition is that the terminal performs preset connection interface switching through a 3GPP access technology, the source AMF updates the root key, and the target AMF determines to use the updated root key;
or, the preset key update condition is that the source AMF triggers a security context update procedure corresponding to the 3GPP access mode or triggers a security context update procedure corresponding to the non-3GPP access mode.
In the network device of the embodiment of the present invention, when the preset key update condition is that the terminal performs preset connection interface switching through a 3GPP access technology, and the source AMF updates the root key, the target AMF determines to use the updated root key;
the first obtaining module comprises:
the receiving submodule is used for receiving a root key updating instruction and an updated root key sent by the source AMF;
the calculation submodule is used for calculating an updated non-access stratum key according to the updated root key;
the obtaining submodule is used for establishing a connection between the target AMF and the N3IWF and obtaining the updated access stratum key if the target AMF obtains the N3IWF information from the source AMF.
In the network device of the embodiment of the present invention, the first sending module is configured to send a non-3GPP key update indication and the updated access stratum key for non-3GPP access to the N3IWF.
In the network device of the embodiment of the present invention, the first sending module includes:
an adding module, configured to add a non-3GPP key update instruction, an updated access stratum key for non-3GPP access, and a calculation parameter for calculating the access stratum key to the created non-access stratum security container;
the first sending submodule is used for sending the non-access stratum security container to a source AMF through a security context updating message and sending the non-access stratum security container to a terminal through the source AMF;
the second sending submodule is used for sending a non-3GPP key update indication and the updated access stratum key for non-3GPP access to the N3IWF after the terminal completes the preset connection interface handover according to the non-access stratum security container.
In the network device of the embodiment of the present invention, when the preset key update condition is that the source AMF triggers an update process of a security context corresponding to a 3GPP access mode or triggers an update process of a security context corresponding to a non-3GPP access mode;
the first sending module is used for sending the updated access layer key for non-3GPP access to the N3IWF through a security context updating message.
The network device of the embodiment of the invention obtains the updated access stratum key for non-3GPP access when the terminal is registered in the serving network of the same public land mobile network PLMN through a 3GPP access mode and a non-3GPP access mode and the preset key update condition is met, and sends the updated access stratum key for non-3GPP access to the non-3GPP interworking function N3IWF, so that the non-3GPP access stratum key is updated in the multi-registration scenario.
As shown in fig. 9, an embodiment of the present invention further provides a network device, which is a non-3GPP interworking network function N3IWF, and includes a memory 920, a processor 900, a transceiver 910, a bus interface, and a computer program stored in the memory 920 and operable on the processor 900, where the processor 900 is configured to read the program in the memory 920 and execute the following processes:
when an access stratum key for non-3GPP access sent by the target AMF is received, sending a non-3GPP key update indication and a calculation parameter to the terminal, where the calculation parameter is a parameter used to calculate the updated access stratum key for non-3GPP access.
In fig. 9, the bus architecture may include any number of interconnected buses and bridges linking together one or more processors, represented by processor 900, and various circuits of memory, represented by memory 920. The bus architecture may also link together various other circuits such as peripherals, voltage regulators, power management circuits, and the like, which are well known in the art and are therefore not described further here. The bus interface provides an interface. The transceiver 910 may be a number of elements, i.e. including a transmitter and a receiver, providing a means for communicating with various other apparatus over a transmission medium. The processor 900 is responsible for managing the bus architecture and general processing, and the memory 920 may store data used by the processor 900 in performing operations.
Optionally, the processor 900 may further implement the following steps when executing the computer program:
sending a non-3GPP key updating instruction and a calculation parameter to a terminal through a preset message;
the preset message is an Internet key exchange authentication request, a sub-security association establishment request or an informing exchange message.
In some embodiments of the invention, there is also provided a computer readable storage medium having stored thereon a computer program which when executed by a processor performs the steps of:
when an access stratum key for non-3GPP access sent by the target AMF is received, sending a non-3GPP key update indication and a calculation parameter to the terminal, where the calculation parameter is a parameter used to calculate the updated access stratum key for non-3GPP access.
When executed by a processor, the program can implement all the implementation manners in the above method embodiment applied to the N3IWF side, and is not described herein again to avoid repetition.
As shown in fig. 10, an embodiment of the present invention further provides a network device, where the network device is a non-3GPP interworking function N3IWF, and the network device includes:
a second sending module 1001, configured to send a non-3GPP key update indication and a calculation parameter to the terminal when an access stratum key for non-3GPP access sent by the target AMF is received, where the calculation parameter is used for calculating the updated access stratum key for non-3GPP access.
In the network device of this embodiment, the second sending module is configured to send the non-3GPP key update indication and the calculation parameter to the terminal through a preset message;
the preset message being an Internet key exchange authentication request, a child security association creation request or an informational exchange message.
The network device of this embodiment, on receiving the access stratum key for non-3GPP access sent by the target AMF, sends the non-3GPP key update indication and the calculation parameter to the terminal, so that the non-3GPP access stratum key is updated on the terminal side.
As shown in fig. 11, an embodiment of the present invention further provides a terminal, including: a transceiver, a memory, a processor, and a computer program stored on the memory and executable on the processor, the processor implementing the following steps when executing the computer program:
acquiring a non-3GPP key update indication and a calculation parameter sent by an N3IWF, where the calculation parameter is used for calculating an updated access stratum key for non-3GPP access; and
acquiring the updated access stratum key for non-3GPP access according to the non-3GPP key update indication and the calculation parameter.
In fig. 11, the bus architecture may include any number of interconnected buses and bridges, linking together one or more processors, represented by processor 1100, and various circuits, represented by memory 1120. The bus architecture may also link together other circuits such as peripherals, voltage regulators and power management circuits, which are well known in the art and are therefore not described further here. The bus interface provides an interface. The transceiver 1110 may comprise a number of elements, including a transmitter and a receiver, providing a means for communicating with other apparatus over a transmission medium. For different user devices, the user interface 1130 may also be an interface capable of connecting to a desired device, including but not limited to a keypad, display, speaker, microphone, joystick, etc.
The processor 1100 is responsible for managing the bus architecture and general processing, and the memory 1120 may store data used by the processor 1100 in performing operations.
Optionally, the processor 1100 is further configured to read the program in the memory 1120 and execute the following step:
notifying the N3IWF of completion of the non-3GPP key update through an informational exchange message.
Optionally, the processor 1100 is further configured to read the program in the memory 1120 and execute the following steps:
acquiring the non-3GPP key update indication and the calculation parameter through a preset message;
the preset message being an Internet key exchange authentication request, a child security association creation request or an informational exchange message.
In some embodiments of the invention, there is also provided a computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of:
acquiring a non-3GPP key update indication and a calculation parameter sent by an N3IWF, where the calculation parameter is used for calculating an updated access stratum key for non-3GPP access; and
acquiring the updated access stratum key for non-3GPP access according to the non-3GPP key update indication and the calculation parameter.
When executed by the processor, the program can implement all implementation manners of the above embodiment of the key updating method applied to the terminal side; details are not repeated here.
As shown in fig. 12, an embodiment of the present invention further provides a terminal, including:
a second obtaining module 1201, configured to obtain a non-3GPP key update indication and a calculation parameter sent by an N3IWF, where the calculation parameter is used for calculating an updated access stratum key for non-3GPP access; and
a third obtaining module 1202, configured to obtain the updated access stratum key for non-3GPP access according to the non-3GPP key update indication and the calculation parameter.
The terminal of this embodiment further comprises:
a notification module, configured to notify the N3IWF of completion of the non-3GPP key update through an informational exchange message.
In the terminal of this embodiment, the second obtaining module is configured to obtain the non-3GPP key update indication and the calculation parameter through a preset message;
the preset message being an Internet key exchange authentication request, a child security association creation request or an informational exchange message.
The terminal of this embodiment obtains the updated access stratum key for non-3GPP access according to the non-3GPP key update indication and the calculation parameter sent by the N3IWF, so that the non-3GPP access stratum key is updated on the terminal side.
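As an added illustration of the N3IWF-side and terminal-side procedures described above (example code written for this page, not code from the patent), the following Python models the exchange: the N3IWF, on receiving the updated key from the target AMF, sends the key update indication and the calculation parameter in one of the three allowed IKEv2 exchanges, and the terminal derives the updated key from its own root key and reports completion over an informational exchange, with the N3IWF switching keys only after that confirmation checks out. The KDF form, the notify payload names, the counter coding of the calculation parameter, the key-confirmation tag and the sample key values are all assumptions; the page specifies none of them.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Exchanges the page allows for carrying the indication (IKEv2 exchange names).
ALLOWED_EXCHANGES = {"IKE_AUTH", "CREATE_CHILD_SA", "INFORMATIONAL"}
# Hypothetical notify payload names: the page does not define the payload coding.
NOTIFY_UPDATE, NOTIFY_DONE = "NON_3GPP_KEY_UPDATE", "NON_3GPP_KEY_UPDATE_DONE"
FC_PLACEHOLDER = b"\xff"  # placeholder, not the FC byte of any real 3GPP derivation

def kdf(key: bytes, *params: bytes) -> bytes:
    """HMAC-SHA-256 KDF in the style of the 3GPP generic KDF (S = FC || P0 || L0 || ...); assumed."""
    s = FC_PLACEHOLDER
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()

def derive_n3iwf_key(k_amf: bytes, calc_param: int) -> bytes:
    """Updated AS key for non-3GPP access from the (updated) root key K_AMF and the
    calculation parameter, coded here as a 4-byte counter (assumption)."""
    return kdf(k_amf, calc_param.to_bytes(4, "big"))

def key_confirmation(k_n3iwf: bytes, calc_param: int) -> bytes:
    """Tag proving the terminal holds the new key without sending it (assumed mechanism)."""
    msg = b"key-update-done" + calc_param.to_bytes(4, "big")
    return hmac.new(k_n3iwf, msg, hashlib.sha256).digest()

@dataclass
class IkeMessage:
    exchange: str                        # "IKE_AUTH", "CREATE_CHILD_SA" or "INFORMATIONAL"
    notify: str                          # hypothetical notify payload type
    calc_param: Optional[int] = None     # N3IWF -> terminal direction
    key_confirm: Optional[bytes] = None  # terminal -> N3IWF direction

class N3IWF:
    def __init__(self) -> None:
        self.k_n3iwf: Optional[bytes] = None   # key currently in use
        self._pending: Optional[tuple] = None  # (new key, parameter) awaiting confirmation

    def on_key_from_amf(self, k_new: bytes, calc_param: int, exchange: str) -> IkeMessage:
        """Updated AS key received from the target AMF: indicate the update to the terminal."""
        if exchange not in ALLOWED_EXCHANGES:
            raise ValueError(f"indication cannot be carried in {exchange}")
        self._pending = (k_new, calc_param)
        return IkeMessage(exchange, NOTIFY_UPDATE, calc_param=calc_param)

    def on_terminal_reply(self, msg: IkeMessage) -> bool:
        """Switch to the new key only after a valid completion notification."""
        if self._pending is None or msg.exchange != "INFORMATIONAL" or msg.notify != NOTIFY_DONE:
            return False
        k_new, calc_param = self._pending
        if msg.key_confirm is None or not hmac.compare_digest(
                key_confirmation(k_new, calc_param), msg.key_confirm):
            return False  # terminal derived a different key: keep using the old one
        self.k_n3iwf, self._pending = k_new, None
        return True

class Terminal:
    def __init__(self, k_amf: bytes) -> None:
        self.k_amf, self.k_n3iwf = k_amf, None
        self.last_param = -1  # highest calculation parameter accepted so far

    def on_indication(self, msg: IkeMessage) -> Optional[IkeMessage]:
        """Derive the updated key and notify completion over an INFORMATIONAL exchange."""
        if msg.exchange not in ALLOWED_EXCHANGES or msg.notify != NOTIFY_UPDATE:
            return None
        if msg.calc_param is None or msg.calc_param <= self.last_param:
            return None  # stale or replayed parameter: refuse to re-derive
        self.k_n3iwf = derive_n3iwf_key(self.k_amf, msg.calc_param)
        self.last_param = msg.calc_param
        return IkeMessage("INFORMATIONAL", NOTIFY_DONE,
                          key_confirm=key_confirmation(self.k_n3iwf, msg.calc_param))

def run_key_update(k_amf_network: bytes, k_amf_terminal: bytes, calc_param: int,
                   exchange: str = "INFORMATIONAL") -> bool:
    """One full update: AMF derives the new key, N3IWF indicates it, the terminal derives
    and confirms. True only when N3IWF and terminal end up holding the same key."""
    n3iwf, ue = N3IWF(), Terminal(k_amf_terminal)
    indication = n3iwf.on_key_from_amf(derive_n3iwf_key(k_amf_network, calc_param),
                                       calc_param, exchange)
    reply = ue.on_indication(indication)
    return reply is not None and n3iwf.on_terminal_reply(reply) and n3iwf.k_n3iwf == ue.k_n3iwf

K_AMF_UPDATED = hashlib.sha256(b"constructed updated K_AMF").digest()  # constructed sample
K_AMF_STALE = hashlib.sha256(b"constructed stale K_AMF").digest()      # constructed sample
```

With matching root keys on both sides `run_key_update(K_AMF_UPDATED, K_AMF_UPDATED, 7)` completes; a terminal still holding a stale root key fails confirmation and the N3IWF keeps its previous key.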
In various embodiments of the present invention, it should be understood that the sequence numbers of the above-mentioned processes do not mean the execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation on the implementation process of the embodiments of the present invention.
While the foregoing is directed to the preferred embodiment of the present invention, it will be understood by those skilled in the art that various changes and modifications may be made without departing from the spirit and scope of the invention as defined in the appended claims.

Claims (30)

1. A key updating method, applied to an access and mobility management function (AMF), comprising:
acquiring an updated access stratum key for non-3GPP access when a terminal is registered in a serving network of the same public land mobile network (PLMN) through both a 3GPP access mode and a non-3GPP access mode and a preset key update condition is met; and
sending the updated access stratum key for non-3GPP access to a non-3GPP interworking function (N3IWF), where the updated access stratum key for non-3GPP access is used for triggering the N3IWF to send a non-3GPP key update indication and a calculation parameter to the terminal, and the calculation parameter is used for calculating the updated access stratum key for non-3GPP access.
2. The key updating method according to claim 1, wherein the preset key update condition is that the terminal performs the preset connection interface handover through a 3GPP access technology, the source AMF updates the root key, and the target AMF determines to use the updated root key;
or, the preset key update condition is that the source AMF triggers a security context update procedure corresponding to the 3GPP access mode or triggers a security context update procedure corresponding to the non-3GPP access mode.
3. The key updating method according to claim 2, wherein, when the preset key update condition is that the terminal performs the preset connection interface handover through the 3GPP access technology, the source AMF updates the root key, and the target AMF determines to use the updated root key, acquiring the updated access stratum key for non-3GPP access comprises:
receiving a root key update indication and the updated root key sent by the source AMF;
calculating an updated non-access stratum key according to the updated root key; and
if the target AMF acquires N3IWF information from the source AMF, establishing, by the target AMF, a connection with the N3IWF and acquiring the updated access stratum key.
4. The key updating method according to claim 3, wherein sending the updated access stratum key for non-3GPP access to the non-3GPP interworking function N3IWF comprises:
sending a non-3GPP key update indication and the updated access stratum key for non-3GPP access to the N3IWF.
5. The key updating method according to claim 3, wherein sending the updated access stratum key for non-3GPP access to the non-3GPP interworking function N3IWF comprises:
adding a non-3GPP key update indication, the updated access stratum key for non-3GPP access and a calculation parameter for calculating the access stratum key to a created non-access stratum security container;
sending the non-access stratum security container to the source AMF through a security context update message, the source AMF forwarding the non-access stratum security container to the terminal; and
after the terminal completes the preset connection interface handover according to the non-access stratum security container, sending the non-3GPP key update indication and the updated access stratum key for non-3GPP access to the N3IWF.
6. The key updating method according to claim 2, wherein, when the preset key update condition is that the source AMF triggers a security context update procedure corresponding to the 3GPP access mode or triggers a security context update procedure corresponding to the non-3GPP access mode, sending the updated access stratum key for non-3GPP access to the non-3GPP interworking function N3IWF comprises:
sending the updated access stratum key for non-3GPP access to the N3IWF through a security context update message.
7. A key updating method, applied to a non-3GPP interworking function (N3IWF), comprising:
when an access stratum key for non-3GPP access sent by the target AMF is received, sending a non-3GPP key update indication and a calculation parameter to the terminal, where the calculation parameter is used for calculating the updated access stratum key for non-3GPP access.
8. The key updating method according to claim 7, wherein sending the non-3GPP key update indication and the calculation parameter to the terminal comprises:
sending the non-3GPP key update indication and the calculation parameter to the terminal through a preset message;
the preset message being an Internet key exchange authentication request, a child security association creation request or an informational exchange message.
9. A key updating method, applied to a terminal, comprising:
acquiring a non-3GPP key update indication and a calculation parameter sent by an N3IWF, where the calculation parameter is used for calculating an updated access stratum key for non-3GPP access; and
acquiring the updated access stratum key for non-3GPP access according to the non-3GPP key update indication and the calculation parameter.
10. The key updating method according to claim 9, further comprising, after acquiring the updated access stratum key for non-3GPP access:
notifying the N3IWF of completion of the non-3GPP key update through an informational exchange message.
11. The key updating method according to claim 9, wherein acquiring the non-3GPP key update indication and the calculation parameter sent by the N3IWF comprises:
acquiring the non-3GPP key update indication and the calculation parameter through a preset message;
the preset message being an Internet key exchange authentication request, a child security association creation request or an informational exchange message.
12. A network device, the network device being an access and mobility management function (AMF), comprising: a transceiver, a memory, a processor, and a program stored on the memory and executable on the processor, wherein the processor, when executing the program, performs the steps of:
acquiring an updated access stratum key for non-3GPP access when a terminal is registered in a serving network of the same public land mobile network (PLMN) through both a 3GPP access mode and a non-3GPP access mode and a preset key update condition is met; and
sending, through the transceiver, the updated access stratum key for non-3GPP access to a non-3GPP interworking function (N3IWF), where the updated access stratum key for non-3GPP access is used for triggering the N3IWF to send a non-3GPP key update indication and a calculation parameter to the terminal, and the calculation parameter is used for calculating the updated access stratum key for non-3GPP access.
13. The network device according to claim 12, wherein the preset key update condition is that the terminal performs the preset connection interface handover through a 3GPP access technology, the source AMF updates the root key, and the target AMF determines to use the updated root key;
or, the preset key update condition is that the source AMF triggers a security context update procedure corresponding to the 3GPP access mode or triggers a security context update procedure corresponding to the non-3GPP access mode.
14. The network device according to claim 13, wherein, when the preset key update condition is that the terminal performs the preset connection interface handover through the 3GPP access technology, the source AMF updates the root key, and the target AMF determines to use the updated root key, the processor, when executing the program, further performs the steps of:
receiving a root key update indication and the updated root key sent by the source AMF;
calculating an updated non-access stratum key according to the updated root key; and
if the target AMF acquires N3IWF information from the source AMF, establishing, by the target AMF, a connection with the N3IWF and acquiring the updated access stratum key.
15. The network device according to claim 14, wherein the processor, when executing the program, further performs the step of:
sending a non-3GPP key update indication and the updated access stratum key for non-3GPP access to the N3IWF.
16. The network device according to claim 14, wherein the processor, when executing the program, further performs the steps of:
adding a non-3GPP key update indication, the updated access stratum key for non-3GPP access and a calculation parameter for calculating the access stratum key to a created non-access stratum security container;
sending the non-access stratum security container to the source AMF through a security context update message, the source AMF forwarding the non-access stratum security container to the terminal; and
after the terminal completes the preset connection interface handover according to the non-access stratum security container, sending the non-3GPP key update indication and the updated access stratum key for non-3GPP access to the N3IWF.
17. The network device according to claim 13, wherein, when the preset key update condition is that the source AMF triggers a security context update procedure corresponding to the 3GPP access mode or triggers a security context update procedure corresponding to the non-3GPP access mode, the processor, when executing the program, further performs the step of:
sending the updated access stratum key for non-3GPP access to the N3IWF through a security context update message.
18. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the key update method according to any one of claims 1 to 6.
19. A network device, the network device being a non-3GPP interworking function (N3IWF), comprising: a transceiver, a memory, a processor, and a program stored on the memory and executable on the processor, wherein the processor, when executing the program, performs the step of:
when an access stratum key for non-3GPP access sent by the target AMF is received, sending a non-3GPP key update indication and a calculation parameter to the terminal, where the calculation parameter is used for calculating the updated access stratum key for non-3GPP access.
20. The network device according to claim 19, wherein the processor, when executing the program, further performs the steps of:
sending the non-3GPP key update indication and the calculation parameter to the terminal through a preset message;
the preset message being an Internet key exchange authentication request, a child security association creation request or an informational exchange message.
21. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the key update method according to any one of claims 7 to 8.
22. A terminal, comprising: a transceiver, a memory, a processor, and a program stored on the memory and executable on the processor, wherein the processor, when executing the program, performs the steps of:
acquiring a non-3GPP key update indication and a calculation parameter sent by an N3IWF, where the calculation parameter is used for calculating an updated access stratum key for non-3GPP access; and
acquiring the updated access stratum key for non-3GPP access according to the non-3GPP key update indication and the calculation parameter.
23. The terminal according to claim 22, wherein the processor, when executing the program, further performs the step of:
notifying the N3IWF of completion of the non-3GPP key update through an informational exchange message.
24. The terminal according to claim 22, wherein the processor, when executing the program, further performs the steps of:
acquiring the non-3GPP key update indication and the calculation parameter through a preset message;
the preset message being an Internet key exchange authentication request, a child security association creation request or an informational exchange message.
25. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the key update method according to any one of claims 9 to 11.
26. A network device, being an access and mobility management function (AMF), comprising:
a first obtaining module, configured to obtain an updated access stratum key for non-3GPP access when a terminal is registered in a serving network of the same public land mobile network (PLMN) through both a 3GPP access mode and a non-3GPP access mode and a preset key update condition is met; and
a first sending module, configured to send the updated access stratum key for non-3GPP access to a non-3GPP interworking function (N3IWF), where the updated access stratum key for non-3GPP access is used for triggering the N3IWF to send a non-3GPP key update indication and a calculation parameter to the terminal, and the calculation parameter is used for calculating the updated access stratum key for non-3GPP access.
27. The network device according to claim 26, wherein the preset key update condition is that the terminal performs the preset connection interface handover through a 3GPP access technology, the source AMF updates the root key, and the target AMF determines to use the updated root key;
or, the preset key update condition is that the source AMF triggers a security context update procedure corresponding to the 3GPP access mode or triggers a security context update procedure corresponding to the non-3GPP access mode.
28. A network device, the network device being a non-3GPP interworking function (N3IWF), comprising:
a second sending module, configured to send a non-3GPP key update indication and a calculation parameter to the terminal when an access stratum key for non-3GPP access sent by the target AMF is received, where the calculation parameter is used for calculating the updated access stratum key for non-3GPP access.
29. The network device according to claim 28, wherein the second sending module is configured to send the non-3GPP key update indication and the calculation parameter to the terminal through a preset message;
the preset message being an Internet key exchange authentication request, a child security association creation request or an informational exchange message.
30. A terminal, comprising:
a second obtaining module, configured to obtain a non-3GPP key update indication and a calculation parameter sent by an N3IWF, where the calculation parameter is used for calculating an updated access stratum key for non-3GPP access; and
a third obtaining module, configured to obtain the updated access stratum key for non-3GPP access according to the non-3GPP key update indication and the calculation parameter.
CN201810899168.9A 2018-08-08 2018-08-08 Key updating method, network equipment and terminal Active CN110830996B (en)


Publications (2)

Publication Number Publication Date
CN110830996A CN110830996A (en) 2020-02-21
CN110830996B true CN110830996B (en) 2022-04-19


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20210611

Address after: 100085 1st floor, building 1, yard 5, Shangdi East Road, Haidian District, Beijing

Applicant after: DATANG MOBILE COMMUNICATIONS EQUIPMENT Co.,Ltd.

Address before: 100191 No. 40, Haidian District, Beijing, Xueyuan Road

Applicant before: Telecommunications Science and Technology Research Institute Co.,Ltd.

GR01 Patent grant